Re: For N. Miller

From: N. Miller (anonymous_at_discussions.microsoft.com)
Date: 08/03/05


Date: Wed, 3 Aug 2005 00:18:37 -0700

On Tue, 02 Aug 2005 18:24:22 -0400, !:?) wrote:

> Hi N. Miller,
>
> I found out what it is.
>
> I made a Rule to Log anything using that IP in or out.
>
> It is my Browser Netscape 7.2 that makes an Inbound Domain call using the
> App (Browser) Netscape.exe and looks for an Outbound return using the
> Apps Netscape.exe, Wucrtupd.exe and Wuloader.exe.
>
> Sometimes it didn't use an App at all on the Inbound that alerted me to
> it in the first place.
>
> I can't Block the In/Outbound using the Netscape App or I can't Surf the
> Web.
>
> But I can Block the In/Outbound ones using the Windows Update Apps
> wucrtupd.exe and wuloader.exe without any problems.
>
> Why the hell does it need to use those Apps when it can use Netscape.exe
> both ways ?????
>
> And it may explain those hits on Port 80 I see too.
>
> Is this something we should worry about?
>
> Is it a type of Spyware?

Netscape should make a local connection when it is fired up. Using TCPView,
I get this (a partial listing of ports):

| TCP megumi:2211 megumi:0 LISTENING
| TCP megumi:5000 megumi:0 LISTENING
| TCP megumi:11194 megumi:0 LISTENING
| TCP megumi:44334 megumi:0 LISTENING
| TCP megumi:51975 megumi:0 LISTENING
| TCP megumi:1424 megumi:0 LISTENING
| TCP megumi:1424 localhost:1425 ESTABLISHED
| TCP megumi:1425 localhost:1424 ESTABLISHED
| TCP megumi:2198 localhost:44334 TIME_WAIT
| TCP megumi:2199 localhost:44334 ESTABLISHED
| TCP megumi:2210 megumi:0 LISTENING
| TCP megumi:2210 localhost:2211 ESTABLISHED
| TCP megumi:2211 localhost:2210 ESTABLISHED

I started with TCP port 2211 because that is what Netscape is using (I used
the KPF status window to see that; TCPView doesn't list processes on a
Windows ME computer). I stopped at the same port because that shows the
loopback port pair used by Netscape. The 1424-1425 pair is Mozilla Firefox,
and the 44334-2199 pair is Kerio Personal Firewall. These are all local
connections which must be permitted, or the browser won't work.

If you have Windows Update installed (I don't), you should expect periodic
queries by the application. But you need a good tool to sort out which
ports are related to which packets. I doubt very much that the Netscape
packets and the wucrtupd.exe/wuloader.exe are related.

May I suggest that you run netstat to see what is up? If you have Windows
XP, there should be a command that will reveal the owning processes. Or you
could visit http://www.sysinternals.com/, and download TCPView, which will
do the same thing.

> Kevin
>
> Rule "205.188.146.145" blocked (205.188.146.145,domain). Details:
> Outbound UDP packet
> Local address,service is (0.0.0.0,1176)
> Remote address,service is (205.188.146.145,domain)
> Process name is "C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE"

Okay; you are posting from:

NNTP-Posting-Host: AC8A40D9.ipt.aol.com 172.138.64.217

In one of your messages in the other thread you say, "I have Netscape for
an ISP that is owned by AOL, so AOL is my ISP's Host."

Do you have a netscape.net portal page in your browser? You must be using a
DUN to the Netscape POP. Does Netscape require that your browser be
configured for a Netscape proxy? Hmmm. I will wait a bit. I was looking at
signing up for the 30-day trial, just to see what you might be seeing. I
might guess at normal traffic, but for those UDP packets to port 145. But
the destination is possibly a proxy, so I can't say what that is all about.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
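
The loopback port pairs described in the reply above can be picked out of such a listing mechanically. This is an added example, not part of the original post: the helper names `parse` and `classify` are hypothetical, the rows are copied from the listing quoted in the post, and the set of loopback host names is an assumption.

```python
import re

# Rows copied from the TCPView listing quoted in the post above.
SAMPLE = """\
| TCP megumi:2211 megumi:0 LISTENING
| TCP megumi:5000 megumi:0 LISTENING
| TCP megumi:11194 megumi:0 LISTENING
| TCP megumi:44334 megumi:0 LISTENING
| TCP megumi:51975 megumi:0 LISTENING
| TCP megumi:1424 megumi:0 LISTENING
| TCP megumi:1424 localhost:1425 ESTABLISHED
| TCP megumi:1425 localhost:1424 ESTABLISHED
| TCP megumi:2198 localhost:44334 TIME_WAIT
| TCP megumi:2199 localhost:44334 ESTABLISHED
| TCP megumi:2210 megumi:0 LISTENING
| TCP megumi:2210 localhost:2211 ESTABLISHED
| TCP megumi:2211 localhost:2210 ESTABLISHED
"""

ROW = re.compile(r"^\|?\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")
LOOPBACK = {"localhost", "127.0.0.1"}  # assumption: names the tool prints for loopback


def parse(text):
    """Return (local_port, remote_host, remote_port, state) for each row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            _, _, lport, rhost, rport, state = m.groups()
            rows.append((int(lport), rhost, int(rport), state))
    return rows


def classify(rows):
    """Sort ESTABLISHED rows into loopback pairs, loopback clients, and remote."""
    listening = {lp for lp, _, _, st in rows if st == "LISTENING"}
    est = [(lp, rh, rp) for lp, rh, rp, st in rows if st == "ESTABLISHED"]
    local = {(lp, rp) for lp, rh, rp in est if rh in LOOPBACK}
    # Both directions of one loopback socket pair are visible (e.g. 2210 <-> 2211).
    mirrored = sorted({tuple(sorted(p)) for p in local if p[::-1] in local})
    # Only the client side is listed, but the target port is a local listener.
    to_listener = sorted(p for p in local if p[::-1] not in local and p[1] in listening)
    remote = sorted((lp, rh, rp) for lp, rh, rp in est if rh not in LOOPBACK)
    return {"mirrored": mirrored, "to_listener": to_listener, "remote": remote}


if __name__ == "__main__":
    for kind, items in classify(parse(SAMPLE)).items():
        print(kind, items)
```

Anything that lands in `remote` is traffic leaving the machine and is what a firewall rule log should be compared against; the other two groups never leave the host.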

